Systems, structures, and processes for interconnected devices and risk management

ABSTRACT

Techniques are provided that produce a risk profile consisting of a risk score and trends of risk scores across devices and sensors in a machine-to-machine (M2M) or Internet of things (IOT) environment. For example, a device is assigned a risk score which is based on baseline factors such as expected network packets between two devices, normal network packets, access to critical devices, authorized access requests from one device to another device, normal communications to a device, and the critical ports of a device; access to and conflicts across physical, logical, and operational systems; historical and current usage of these systems, and anomalies from normal behavior patterns. Techniques encompass risk management by computing a risk score in a timely fashion in accordance with an architecture that enables achieving the required scaling necessitated by the huge number of devices in the machine-to-machine (M2M) or Internet of things (IOT) environment.

CROSS REFERENCE TO RELATED APPLICATIONS

This patent application is a continuation of U.S. patent applicationSer. No. 15/583,645, filed May 1, 2017, which is a continuation of U.S.patent application Ser. No. 15/138,070, filed Apr. 25, 2016, which is acontinuation-in-part of U.S. patent application Ser. No. 14/210,016,filed Mar. 13, 2014, which claims priority from U.S. Provisional PatentApplication No. 61/800,351, filed Mar. 15, 2013, the entirety of each ofwhich is incorporated herein by this reference thereto.

BACKGROUND OF THE INVENTION Technical Field

This invention relates generally to the field of computer-relatedmethodologies for handling complex risk and security challenges ofsystems of an enterprise. More specifically, this invention relates tosystems, structures, and processes for interconnected devices and riskmanagement.

Description of the Related Art

Insider threat is always present and manifests itself in many ways. Amalicious insider has the potential to cause more damage to anorganization and has many advantages over an outside attacker. Forexample, they have legitimate and often privileged access to facilitiesand information, have knowledge of the organization and its processes,and know the location of critical or valuable assets. Insiders may knowhow, when, and where to attack and how to cover their tracks. Forinstance, an individual who was given two weeks' notice before beingterminated and who is disgruntled can access a facility during offhours. Today, a disgruntled employee, i.e. an insider threat, can wreakhavoc on IT systems, financial system, physical facilities, etc.,because not all insider threats are monitored correctly, if at all.

In the past few years a new paradigm has emerged referred to as theInternet Of Things (“IOT”). IOT has received massive attention andadoption. IOT is combination of the interconnection of devices andsensors, etc. (things) and their data exchange (referred to as machineto machine (M2M)). M2M also includes but is not limited to remotecontrol capability. An IOT environment enables devices to become smart.Usage of IOT is in many different industries such as energy and utility,healthcare, manufacturing, smart cities, wearable, and automotive toname a few. As per some estimates, by 2020 there will be 20 to 30billion interconnected devices.

SUMMARY OF THE INVENTION

Techniques are provided that produce a risk profile consisting of a riskscore and trends of risk scores across devices and sensors in amachine-to-machine (M2M) or Internet of things (IOT) environment. Forexample, a device is assigned a risk score which is based on baselinefactors such as expected network packets between two devices, normalnetwork packets, access to critical devices, authorized access requestsfrom one device to another device, normal communications to a device,and the critical ports of a device; access to and conflicts acrossphysical, logical, and operational systems; historical and current usageof these systems, and anomalies from normal behavior patterns.Techniques encompass risk management by computing a risk score in atimely fashion in accordance with an architecture that enables achievingthe required scaling necessitated by the huge number of devices in themachine-to-machine (M2M) or Internet of things (IOT) environment.

The identity and asset risk scoring framework provides an excellentfoundational mechanism for an IOT risk management mechanism. However,because IOT includes machine-to-machine communication between a fairlylarge number of devices, the data volume requirement is huge andrequires a scalable, high throughput and robust mechanism. Thus, in anembodiment additional risk contributing factors for IOT are incorporatedinto the existing identity and asset risk scoring contributing factors.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a high level risk scoring solutionarchitecture, according to an embodiment of the invention;

FIG. 2 is a compilation of four sample screen shots of the risk scoringdashboard, according to an embodiment of the invention;

FIG. 3 is a sample screen shot showing risk score by actor as a drilldown, according to an embodiment of the invention;

FIG. 4 is a sample screen shot of a summary view for viewing ormodifying an identity, according to an embodiment of the invention;

FIG. 5 is a sample screen shot of a profile view for viewing ormodifying the profile of an identity, according to an embodiment of theinvention;

FIG. 6 is a sample screen shot of a roles view for viewing or modifyingthe roles of an identity, according to an embodiment of the invention;

FIG. 7 is a sample screen shot of a training view for viewing ormodifying the training/certification of an identity, according to anembodiment of the invention;

FIG. 8 is a sample screen shot of a screening view for viewing ormodifying the types of screening associated with an identity, accordingto an embodiment of the invention;

FIG. 9 is a sample screen shot of a behavioral patter view for viewingthe user risk score built on behavior, activity, access, and usage,according to an embodiment of the invention;

FIG. 10A-10F is a schematic diagram of the data schema, according to anembodiment of the invention;

FIG. 11 is a graph of a statistical distribution of a risk score,according to an embodiment of the invention;

FIG. 12 is a colorized graph of a particular a departmental dashboard ofrisk score totals, according to an embodiment of the invention;

FIG. 13 is a colorized graph at drill down level 1, a view of riskdistribution for the training department, according to an embodiment ofthe invention;

FIG. 14 is a table at drill down level 2 of identities who belong to theIT department, according to an embodiment of the invention;

FIG. 15 is an identity view with the risk score at drill down level 3,according to an embodiment of the invention;

FIG. 16 is a view of events that contributed to the score at drill downlevel 4, according to an embodiment of the invention;

FIG. 17 is a schematic diagram showing mock-ups of comparativedashboards by department, according to an embodiment of the invention;

FIG. 18 is a mock-up configuration screen of various input factors,according to an embodiment of the invention;

FIG. 19 is a mockup of resource reconciliation policy page where anevent trigger can be configured as a risk, according to an embodiment ofthe invention;

FIG. 20A-20B is a risk scoring job sequence diagram, according to anembodiment of the invention;

FIG. 21 is a block schematic diagram of a system in the exemplary formof a computer system, according to an embodiment of the invention;

FIG. 22 is a schematic diagram of an architecture of a solution,according to an embodiment of the invention;

FIG. 23 is a flow diagram of anomaly detection through predictiveanalytics, according to an embodiment of the invention;

FIG. 24 is a schematic diagram showing the data and processes thatinteract with the risk profile/score component, according to anembodiment of the invention;

FIG. 25 is a sample screen shot showing risk score details, according toan embodiment of the invention;

FIG. 26 is a schematic diagram showing the data and processes thatcontribute to a situational awareness and incident response, accordingto an embodiment of the invention;

FIG. 27 is a schematic diagram showing the data and processes for aunified identity profile to enables intelligent decision making,according to an embodiment of the invention;

FIG. 28 is a sample screen shot of mobility solutions, according to anembodiment of the invention;

FIG. 29 is a schematic diagram showing the big data architecture,according to an embodiment of the invention;

FIG. 30 is a schematic diagram showing a technical architecture,according to an embodiment of the invention;

FIG. 31 is a sample screen shot of a plurality of assets potentially atrisk on a geographic information system (GIS) map, according to anembodiment of the invention; and

FIG. 32 is a sample screen shot of asset risk score visualization for aparticular asset of FIG. 31, according to an embodiment of theinvention.

DETAILED DESCRIPTION OF THE INVENTION

Techniques are provided that produce a risk profile consisting of a riskscore and trends of risk scores across entities such as user identitiesand other objects. For example, an identity is assigned a risk scorewhich is based on baseline factors such as HR attributes, such astraining and screening status; access to and conflicts across physical,logical, and operational systems; historical and current usage of thesesystems, as well as anomalies from normal behavior patterns. Techniquesherein encompass the management of a risk profile (“behavior profile”)for each entity, e.g. identity, and maintains a risk score that iscorrelated with behavior, e.g. an individual's behavior, to trackanomalies or irregularities in every day routines of the entity, e.g.individual.

An embodiment of the invention can be understood with reference to FIGS.1-9. FIG. 1 is a schematic diagram of a high level risk scoring solutionarchitecture. Baseline scoring data including but not limited toidentity data, access data, training, screenings, and incidents data,and historical activity data are inputted into an identify warehouse.Identity warehouse hosts, but is not limited to hosting, an identityprofile, access information, risk score information, and behaviorpattern data regarding individuals. As well, identity warehouse containsa risk scoring and predictive analytics engine that runs on Hadoop, SAPHANA, etc. It should be appreciated that the particular details are byway of example only and are not meant to be limiting.

The embodiment also is configured for ongoing monitoring. Behavior andanomaly processes and data enable but are not limited to enablingmonitoring riles and providing predictive analytics. Changes andbehaviors processes and data enable but are not limited to enabling ormonitoring identity changes, training and screenings failures, andviolations.

The embodiment is also configured for responding to the monitoringprocesses by a response and alerting component. The component isconfigured to provides but is not limited to providing reports,analytics, and alerts.

An embodiment of the invention can be understood with reference to FIG.2, which is a compilation of four sample screen shots of the riskscoring dashboard. The four reports are color-coded and include medianrisk score, risk score bar chart, risk score heat map, and number ofwork items by time period.

An embodiment of the invention can be understood with reference to FIG.3, a sample screen shot showing risk score by actor as a drill down. Forbusiness unit, IT, a list of actors, their respective user risk scores,and a data are displayed.

An embodiment of the invention can be understood with reference to FIG.4, a sample screen shot of a summary view for viewing or modifying anidentity. A summary page for a particular contractor is displayed. Onthis page, the user can view and modify the identity by selecting anaction or create a request by selecting a request category from adropdown box.

An embodiment of the invention can be understood with reference to FIG.5, a sample screen shot of a profile view for viewing or modifying theprofile of an identity. The profile information can include but is notlimited to including name, social security number (optionally disguisedso as not to be shown), badge identification number, employee type, andso on.

An embodiment of the invention can be understood with reference to FIG.6, a sample screen shot of a roles view for viewing or modifying theroles of an identity. For example, generated and displayed are rolesnames, status, data, last recertified, and recertified by. It should beappreciated that these details are by way of example only and are notmeant to be limiting.

An embodiment of the invention can be understood with reference to FIG.7, a sample screen shot of a training view for viewing or modifying thetraining/certification of an identity. By way of example only and notmeant to be limiting, generated and displayed are training orcertification, status, attest date, attested by, and expiration date.

An embodiment of the invention can be understood with reference to FIG.8, a sample screen shot of a screening view for viewing or modifying thetypes of screening associated with an identity. By way of example onlyand not meant to be limiting, generated and displayed are screeningname, status, date, last recertified, and recertified by. Examples oftypes of screenings are background checks, drug test, ICS training,yearly compliance training, and the like.

An embodiment of the invention can be understood with reference to FIG.9, a sample screen shot of a behavioral patter view for viewing the userrisk score built on behavior, activity, access, and usage. Determinedand displayed are information regarding physical access system access,personnel information, and human resources information. For the physicalaccess display, three types of alerts are shown such as access attemptsoutside of their normal working hours, access inactivity (over 30 dayswithout use), and history of access issues.

An embodiment of the invention can be understood with reference to FIG.10A-FIG. 10F, a schematic diagram of the data schema. For example, datablock are defined for but are not limited to a risk rule, activity data,risk score factors, and so on. For ease of reading, FIG. 10 has beensplit into six parts, namely, FIG. 10A to FIG. 10F.

Exemplary Risk Profile and Risk Score Requirements

An exemplary embodiment can include but is not limited to including thefollowing components or processes from a user's perspective, but notlimited to being from a user's perspective. It should be appreciatedthat particular details are by way of example only and that one skilledin the art would readily recognize that certain substitutions,additions, or omissions can be made without altering the scope of theinvention.

Data Source Integration.

In an embodiment, the risk engine is capable of being a stand-aloneproduct. It has its own data infrastructure capable of processing heavyvolumes of quick reads and writes. It is required to interface with theIdentity Warehouse as its main source of information to compute anidentity's risk score and profile. The risk engine has its own datastructure to capture data related to behavioral patterns such as time ofentry in an access point, badge-out times, as well as remediation datasuch as alerts and actions. The component is configured to work withother vendors' identity warehouses.

Dashboards.

As an end-user or admin who has been given permission to run the riskdashboard, he or she desired to be able to run a heat-map chartdashboard referred to herein as Risk Scores By Business Unit. This couldbe location, cost center, division, etc. This configuration allows theuser to select Business Units to chart. The aggregated median riskscores for those departments are charted, color-coded, with legends andthe percent distribution. The heat map regions are clickable, whichinvokes a popup window of another pie chart that breaks down thedistribution of contributing factors, e.g. training or usage, for theselected department. There is further drill down, i.e. when the pieslice is clicked, another window pops up with a statistical distributionchart. Further drill down can happen when the user clicks on a sectionof the distribution chart, for example, top 2%. Only the departmentmembers who fall on that percentage appear in the list. When a name isclicked, it can open another window that shows the user the IdentityView of the person, which can also show the drill-down of why the personhas that score. One skilled in the art can readily refer to FIGS. 1-9 aswell as FIGS. 11-19, described hereinbelow.

It should be appreciated that the drill-downs are role-based andconsider security permissions, i.e. the person cannot drill down to datathat he/she does not have permissions to view.

An end-user or admin allowed to run dashboards is able to run apie-chart of company-wide distribution of contributing factors.Depending on the end-user or admin's permissions, he or she is able todrill down on those contributing factors into specific distribution.

An end-user or admin has the option to run a comparative departmental orother organizational (cost center, location, division etc.) trendanalysis chart on selected departments. For example, the chart can be aline graph with the risk score totals per department as shown in FIG.17.

An end-user or admin is able to run a dashboard that allows the end useror admin to view over x months, a department or organization's (costcenter, location, division etc.) risk contributing factors. Time andother criteria are selectable as filters/scope as shown in FIG. 17.

An end-user or admin is able to run a comparative trend charts onselected departments (cost center, location, division etc.). Forexample, the chart may be a line graph with the median or average scoreper department. The x-axis can represent the time as shown in FIG. 17.

It should be appreciated that a median is the middle number when allscores are sorted from lowest to highest. For example, if the scores are1, 3, 6, 8, 9, the median is 6. In the case of an even number of scores,the two middle numbers are averaged out. An average is the total of allscores divided by the number of scores.

Change of Access.

As an approver of a change of access, the end-user can view the numberof points a person's risk score will increase when the end-user approvesthe request, as part of the approval process. The end-user can also seethe current risk score of the person. See for example FIG. 16. Thesystem is configured such that real-time modifications of the risk scorevia access changes, mitigations and associated trainings to reduce therisk score are allowed.

A change in role or access can swing a risk score. This event isdetected during a change of access resulting from a user/data/rolereconciliation process.

Events such as accounts added, modified, deleted, enabled or disableddirectly in a resource may impact the risk score. An embodiment providesfor checkboxes for enabling risk calculation in a ResourceReconciliation Policy page, for example in FIG. 19. The configuration ofthe score assignments are in a setup configuration page.

Risk Remediation.

An embodiment provide means to reduce risk by:

-   -   Removal of access;    -   Training assignments; and    -   Mitigation assignment (after the fact).

An embodiment provides a pre-defined (out of the box) rule that can beused by a Certification process, e.g. Certify project byAlertEnterprise, when the risk exceeds a defined threshold.

An embodiment has pre-defined (out of the box) rule that can be used bya process, e.g. a Certify project, to incorporate risk into the list ofusers for a project. For example, an embodiment contemplates thefollowing functionality:

-   -   recertify access to all users with critical-risk score monthly;    -   recertify access to all users with high-risk quarterly;    -   notify manager of access to all users with medium risk        quarterly;    -   initiate alerts with associated standard operating        procedures(sop); and    -   send email to manager of risky access.

An embodiment provides an out of the box sample implementation of acertify process, e.g. a Certify project, that warns managers of trainingabout to expire, example, in 15 days.

The solution allows for bulk mitigation actions, such as ad-hoccertification, for high-risk user populations discovered via reportingor analytics.

Risk Calculation.

An embodiment provides an indication in a configuration page that RiskScoring is enabled or disabled. If enabled is checked, the applicationwarns the admin to make sure he needs to do these steps before the riskscore will get enabled (1) allocate risk points for each contributingfactor in the configuration page (2) runs a job that calculates therisks for all identities for the first time. Without these steps, therisk scores may not get the baseline points. If the Risk Scoring isdisabled, then no calculations are being done throughout theapplication. If silent mode, calculations are being carried out, butactions and alerts are not enabled.

An admin can configure Identity/user profile attributes fromauthoritative sources such as HR/Contractor databases (DB) that are tobe used to influence a person's baseline risk score, such as location,department, employee status. Corresponding points can be entered in theconfiguration screen. The admin is enabled to enter composite/complexrules such as for example:

-   -   If location=“SJC”, then risk=4. If Location=“OAK”, then risk=4.    -   But if location is both “SJC” AND “OAK”, then risk=6.

An admin is able to configure attributes related to training andscreening validity and status as contributing factors to a risk score.The admin can enter their corresponding points in the configurationpage.

Examples of these factors are: training expired, background checkexpired, background check failed, and training failed.

An admin can configure Access contributing factors and theircorresponding points in a configuration page.

Importantly, the admin is to associate risk/sensitivity levels ateither/or and combinations of

-   -   System level (CIP Asset, PII DB, PHI DB, Credit Card DB etc.);    -   Roles (Accounts Payable, etc.);    -   Entitlements (Create New Business Account etc.); and    -   SOD's (Create Account & Pay Bill).

The expected risk/sensitivity levels are as above and Low, Medium, Highand Critical with expected score impacts.

Examples of access factors are: SOD's and associated levels, Roles,Entitlements to physical, IT and operational systems that are deemedmore sensitive and critical than others, such as CIP assets, credit carddatabase tables, PII tables (personal identifiably information), PHI(personal health information), system tables, etc.

An admin can enter Usage contributing factors and their correspondingpoints in a configuration page.

Examples of usage factors are: SOD violation levels, repeated failedbadge swipes, inactivity, etc. A list of triggering events can bereferred to in the later part of this discussion. As well, usage factorscan be related to/based on the risk associations defined hereinabove.

An admin can enter Ad Hoc contributing factors and their correspondingpoints in a configuration page.

It should be appreciated that an embodiment provides a separaterequirement for a manual data entry screen for incidents/violations.

Risk Calculation—Rule Builder.

The Rule Builder in the configuration page is flexible in that the usercan add values to the drop-down lists in the same interface. The RuleBuilder in the configuration page is flexible in that the user can add acategory of contributing factors.

As an admin/end-user with ownership to run it, the admin is enabled toclick on a “Risk Distribution of Identity Population”. This produces agraph or chart that shows the score distribution of all users. This canbe a graph/plot of number of users v/s score, i.e. statistical ideal isa bell curve. One purpose is tell the admin whether the scores for thedepartment is appropriate, it might be too high or too low. This is avisualization to enable the admin/end-user to see if there are too manyusers with high scores.

In the configuration page, the admin is able to click on a “Preview theIdentity Population”. This produces a graph or chart that shows thescore distribution of all users. This should be a graph/plot of numberof users v/s score, i.e. statistical ideal is a bell curve. One purposeis tell the admin whether the baseline scoring that he has assigned toHR attributes might be too high or too low. This is a simulation tool togive the admin visibility that the points allocated are realistic and toenable the admin to see if there are too many users with high scores.

Risk scores can be calculated at real-time, i.e. whenever an eventhappens that is considered a contributing factor. These events caninclude real-time and reconciliation or batch based events. The scorecan increment by those points. The identity view can reflect the changeof score, as well as any view that shows the score of a person, e.g.dashboards, change of access.

When an admin changes the points allocated in the risk configurationpage, there is a warning that indicates he needs to run a batch job thatrecalculates everybody's scores.

In an embodiment, the application can provide a batch job to recalculatethe risk scores. The job can be filtered by department, by division, bylocation, but the default can be for all identities. This is used whenthe formula and risk points for contributing factors have changed. In anembodiment, the option for this job can be paged so that it can be runin chunks.

Application or Resource Risk.

In an embodiment, risk score are assigned to applications or resourcesbased on factors such as number of orphans, dormant, shared or serviceaccounts. This process can be referred to as Resource Risk Scoring andcan be combined with the risk associated with the resource itself.

Audit.

An embodiment is configured for tracking of risk scores over time fortrending analysis. An audit trail can keep track of what was incrementedor decremented from the risk score, what event happened, and thedate/time it happened. The event or contributing factor can be specificwhether it was from a real-time change or from areconciliation/background process.

An audit trail for the administrator who maintains the riskconfiguration page can be maintained. Useful information are: changethat happened, who made the change, when the change was made.

Content Pack.

An embodiment includes a standard library of risk templates to speedconfiguration and deployment of a risk-based compliance methodology.

Ad Hoc Incident Entry Form.

In accordance with an embodiment, a solution can allow for the end-user,given the right permissions, to manually enter incidents, citations,violations. The following fields can be captured: date/time, personinvolved (search from identity master), incident description,criticality (high, medium, low). The ID of the person entering therecord can be captured from the login. The task is workflow driven andcan be forwarded to an approver, with notes and attachments capability.The event of creating this record can go into an audit trail. The eventcannot show up in the History of the identity in the Identity View. Onlycertain administrators can view this data. These incidents cancontribute to the risk score based on the configurations.

Ad Hoc Incident Report.

An embodiment is configured to generate a report of the ad hocincidents, filtered by date ranges or the person who reported theincident.

Report Builder.

An embedment is configured to expose the Report Builder and an IdentityWarehouse view so that consultants on premise and the customer cannot bedependent on engineering on creating specific reports.

Watch List.

In accordance with an embodiment, everyone on the watch list canautomatically generate real-time alerts regardless of type of activityfor sensitive/risky systems. It should be appreciated that the behavioror the risk score does not matter.

An admin/security-admin can configure the risk score that adds a personto the watch list. The person who owns the identity is not able to seethat they are on the watch list or their score.

An admin/security-admin can check a checkbox in the Identity Profilethat says “Add to Watch List”. The person who owns the identity shouldnot be able to see this checkbox.

Business Intelligence and Big Data Analysis.

An embodiment provides a solution that is able to interface with BigData Analytics platform such as Hadoop, Autonomy and/or SAP Hana.

Behavior Pattern Capture.

In an embodiment, the solution is able to capture behavior patterns. Foreach person, the system captures all the events (time of badge in, lobbyentry, time of badge out, etc.), the median of the time the eventhappens over a time range (time range is configurable), the standarddeviation over the course of time range, and what it was same time lastyear. Only admins with the permissions are able to view these aggregatedentries.

Abnormal Behavior Pattern Recognition.

An embodiment provides a solution that is able to identify anomalousbehavior. This can be time-based or location-based departure from hisnormal behavior. The number of anomalous events that happens in asequence that can trigger an alert can be configurable as an actionrule. Part of the configuration can be the increment to the risk score.

If the person is attempting to access an asset, access point, or systemthat is considered critical, an alert is issued out right away if thecustomer chooses to. This is configured in an action rule which may ormay not be activated. Part of the configuration is the increment to therisk score.

If the person is attempting to access an asset, access point, or systemthat he does not even have access to, an alert is issued out right awayif the customer chooses to. This is configured in an action rule whichmay or may not be activated, along with the increment in the risk score,if any. This is based on the principle that a person should not evenattempt to use his/her badge in an area that he is not allowed entry.

A lack of badge-in event is considered an anomaly and can be looked atas part of a sequence of abnormal events. An alert can be issued, whichis configurable. The increment to the risk score is also configurable.

A new hire can be given an x-day probation period, whereby his eventsare recorded but are not alerted out as abnormal behavior. This isbecause he has no history recorded yet, and the solution may most likelytrigger an alert. X should be configurable. This does not override otheralerts, only for the behavior anomaly recognition.

If a person is rehired into the same position he/she can be given aprobation period, wherein his/her events are not recorded but are notalerted out as abnormal behavior. This is because the end user's historymay not be appropriate given the new role.

This does not override other alerts, only for the behavior anomalyrecognition.

If a person is transferred into a different position, the system treatshim as a new hire, i.e. he is given an x-day probation, where his eventsare recorded but are not alerted out as abnormal behavior. This does notoverride other alerts, only for the behavior anomaly recognition.

Asset Criticality Configuration.

In an embodiment, in the assets section a table and UI are provided suchthat criticality or sensitivity levels of assets/access points can beconfigured.

Configuration.

In an embodiment, a risk scoring/predictive analytics admin is able toconfigure in a screen the following: the number of days probation fornew hire, the risk score increment for a new hire, the number of daysfor a person who just got transferred, time range for calculating themedian, and standard deviation of the same event per person.

Predictive Analytics UI.

An embodiment provides a graphical representation of a person's behaviorpatterns that can be invoked using filters. Filters can be the events,the time range, etc. One can drill down into the data depending on theportion of the graph that is clicked. Raw data can be shown, as well asthe identity profile of the person.

Display Risk in Certify project.

In an embodiment, when the approver opens a certification process windowsuch as a Certify project, he can see the risk score for each of theusers.

Display Risk in Alert Action alert.

An embodiment display the risk score of the person that produced thealert. One or more embodiments of the invention can be described withreference to FIGS. 11-19. FIG. 11 is a graph of a statisticaldistribution of a risk score. FIG. 12 is a colorized graph of aparticular departmental dashboard of risk score totals. FIG. 13 is acolorized graph at drill down level 1, a view of risk distribution forthe training department. FIG. 14 is a table at drill down level 2 ofidentities who belong to the IT department. FIG. 15 is an identity viewwith the risk score at drill down level 3. FIG. 16 is a view of eventsthat contributed to the score at drill down level 4. FIG. 17 is aschematic diagram showing mock-ups of comparative dashboards bydepartment. FIG. 18 is a mock-up configuration screen of various inputfactors. In an embodiment, the rule builder is more flexible than asdescribed herein. FIG. 19 is a mockup of resource reconciliation policypage where an event trigger can be configured as a risk. In anembodiment, a score increment can be assigned/decided on these eventtriggers.

Exemplary Use Cases and Reference Implementation with Risk Score Impact

Below is a table, namely, Table A, that outlines the risk score impactsbased on the identity behavior, in accordance with an embodiment. In theembodiment, a risk score baseline is established upon on-boarding of theidentity. the baseline is assigned based on the risk profile. Theidentity starts off with a perfect score, and starts incrementing ascontributing factors in his risk profile are assigned, such as locationor department. The score continues to get higher as access to high risksystems or roles are assigned. the score gets recomputed regularly asusage data in the identity store gets populated, such as violations. Thehigher the score, the higher the risk. It should be appreciated that therisk score may be a positive or negative number.

TABLE A USE CASE RISK SCORE Risk Score Baseline Start with zero,incrementing based on per attribute assigned score Access to a high riskarea +10 Security personnel can bypass the regular +10 securitycheckpoint (Applies to Security Personnel or Airport staff) BackgroundCHRC, PRA, No-Fly Check +10 if Poor (if applicable) Do Not Admit ListCheck Access Levels for Airport SIDA (+10) SIDA Sterile (+5) Sterile AOA(+10) AOA Secured (+5) Secured Public (+3) Public Access containsCritical SOD(+10) Critical SOD PII/Critical CIP/ PII/CriticalCIP/Sensitive System Sensitive System (+10) Sensitive Task withoutmitigation Sensitive Task without mitigation (+5) Sensitive Task withMitigation Sensitive Task with Mitigation (+3) Pattern of individualtypical working hours  5 from 9 am-5 pm. Then unusual badge usage at 2amon a given day.

More Exemplary Use Cases

-   -   Pattern of individual typical working hours from 9 am-5 pm. Then        unusual badge usage at 2 am on a given day.    -   Pattern of individual changing typical work hours after an        annual or semi-annual HR review period.    -   Pattern of typical working hours from 9 am-5 pm. Then unusual        badge usage at 2 am on a given day when the individual has less        than 30 days on the job (employee/contractor expiration date is        within 30 days.)    -   Pattern of using badge multiple times within a short period,        such as 20 min. This can be due to suspicious activity.    -   Pattern of two people using their badges at the same location(s)        at the same time. One has access and other does not (two-man        rule).    -   Pattern of individual tailgating to access a location he/she        does not have access. This can be tracked with camera setup to        scan a particular activity or when door is held open too long.        May require video analytics integration.    -   Pattern of individual not accessing the network for X number of        days. This can be that the individual is on vacation, no longer        with the company or using another identities login credentials.    -   Pattern of individual not accessing the facility for X number of        days. This can be that the individual is on vacation, no longer        with the company, reported a lost/stolen badge or using another        identity's lost/stolen badge.    -   Pattern of frequent access to a Sharepoint/document management        location and downloading documents. This can mean that are        stealing proprietary or trade secret information.    -   Logged into VPN and present in the building.    -   Pattern of accessing the same facility, then the individual        attempts or accesses another facility. The person could have        access or be using a lost/stolen badge.    -   Tailgating case? Perhaps the person did not badge to get into        the building, but badged into the datacenter.    -   Individual did not badge to get into the building, but logged        into the network.    -   Person opens the door and leaves the door open.    -   Force door open with no badge.

Exemplary Reports and Dashboards

An embodiment is configured to provide a wide variety of reports anddashboards, including but not limited to the following.

User Profile Report. Report listing badge usage over a period of time byuser. Filter by location, user or time period.

Badge Access Anomaly Report. Displays the profile anomalies of unusualactivity, such as but not limited to a badge usage after hours. Filterby location, user or time period.

User Frequency Report. Displays pattern of using badge multiple timeswithin a short period, such as 20 min. This could be due to suspiciousactivity. Filter by user or location.

Potential Tailgating Report. Displays common activity of a profiletailgating another user into a location. Filter by location. It shouldbe appreciated that this can require a configuration based on door heldopen too long and video analytics.

User Outlier Report. Displays the average times, e.g. standarddeviation, a location is accessed, the badge usage for a particular andhow often the location is accessed exceeding the average/deviation.

Team Outlier Report. Displays the average times, e.g. standarddeviation, a location is accessed and the badge usage for each profile(user 1 and user 2) and how often the location is accessed exceeding theaverage/deviation.

Badge Access Pattern Profile Dashboard. Dashboard providing badge accesstime patterns over a period of time. This dashboard can be a line graphthat displays spikes based on profile badge behavior. Filter by user.

Exemplary External Interface/Integration Requirements

One or more embodiments can be configured to but is not limited to beingconfigured to:

-   -   Interface with various HR systems to provide intelligence        reporting over occurred event;    -   Interface with a business intelligence tool;    -   Interface with various physical systems to provide usage and        monitoring information;    -   Interface with various logical systems to provide usage and        monitoring information; and    -   Interface with various operational systems to provide usage and        monitoring.

Exemplary Use Case and Dashboard, Source Type, and Events

In an embodiment, the following risk parameters used for the algorithmsfor risk scoring include but are not limited to including:

-   -   Role;    -   Periodicity;    -   Physical Access Level Risk;    -   Logical Entitlements;    -   Sensors; and    -   IT Risk (Scoring: C=Confidentiality, I=Integrity,        A=Availability).

In an embodiment, source events include but are not limited to those inTable B.

TABLE B Source Type Event Access Point BadgeIn Access Point BadgeOutAlarm ForcedOpen Alarm HeldOpen Application TransactionExecution SensorSensorDataRead Application ApplicationException Alerting SystemNotificationReceived Access Point HeldOpen Access Point ForcedOpenAccess Point DuressAlarmActive Badge NoBadgeIn Badge NoAccessTransactionAlarm PullStationAlarmActive Alarm MonitorPointinAlarm Access PointMonitorPointinAlarm SCADA System NewValue SCADA System NewConnection

In an embodiment, events include but are not limited to those in TableC.

TABLE C Event Name Description BadgeIn Badge In BadgeOut Badge OutForcedOpen Door opened without a badge swipe HeldOpen Held OpenSensorDataRead Sensor Data Read TransactionExecution TransactionExecution ApplicationException Application ExceptionNotificationReceived Notification Received AlarmGenerated AlarmGenerated AlarmChanged Alarm Settings Changed DuressAlarmActive DuressAlarm/Panic Alarm active PullStationAlarmActive Pull Station AlarmActive NoBadgeIn No Badge In NoAccessTransaction No Access TransactionMonitorPointinAlarm Monitor Point in Alarm NewValue New Value LoginLogin SetPointChanged Set Point Changed ConfigurationChangedConfiguration Changed NewMessage New Message NewConnection NewConnection Status Status

It should be appreciated that persons of ordinary skill in the art willunderstand that apparatus and methods in accordance with this inventionmay be practiced without such specific details as those describedhereinabove.

An Exemplary Risk Scoring Job Sequence

An exemplary risk scoring job sequence can be understood with referenceto FIG. 20A-20B. At step 1, a risk score job is executed at an engine,Riskscore Job 2002. At step 2, a job is run which reads lists ofdatasources from a database using Hadoop's DBInputFormat object. The jobuses DBOutputFormat to generate the reduced data files. At risk scoreJobClient 2004, the Hadoop JobClient object, uses the configured JobConfobject. At step 3, the Hadoop DBIntputFormat object creates splits fromthe list of datasrouces so that each datasource is mapped as a singletask assigned to a Hadoop datanode, as performed by DataSourcesDBInputFormat 2006. At step 4, each mapper extracts information/eventsfrom a datasource and collects by userid. In case of simulation themapper merges the extracted data/events with the simulation data/eventssent. The mapper collects the data/event by entity id. These operationare performed by DataSource Mapper 2008. At step 5,DataSourcesDBInputFormat 2006 performs the map operation. At step 6,DataSource Extractor 2010 performs an extractor operation. Utilityclass(es) extract incremental or full data from specific types ofdatasource optionally for specified users (used for simulation). At step7, DataSource Extractor 2010 sends data back to DataSource Mapper 2008.At step 8, DataSource Mapper 2008 sends data back to Risk ScoreJobClient 2004. At step 9, the reduce operation is called byRuleEvaluation Reducer 2012, which is a Hadoop Reducer that isresponsible for calculating risk score or the risk level using matchedrules. At step 10, Rule Engine 2014 calls a match rule operation andreturns the results to RuleEvaluation Reducer 2012 at step 11. At step12, RiskScore Calculator calculates the risk score and returns theresults to RuleEvaluation Reducer 2012 at step 13. At step 14, RiskScoreCalculator 2016 calculates the risk level and returns the results toRuleEvaluation Reducer 2012 at step 15. At step 16, RuleEvaluationReducer 2012 sends data to Risk Score JobClient 2004. At step 17, RiskScore JobClient 2004 invokes RiskEvaluation DBOutputFormat 2018, wherethe Hadoop DBOutputFormat is used to format userid, risk score, risklevel, data source names, and readable rule and data values for matchedrules. The results are sent to Risk Score JobClient 2004 at step 18. Atstep 19, Risk Score JobClient 2004 sends results back to Riskscore Job2002.

Exemplary High Level and Technical Designs for Risk Score Calculation,Risk Score Data and Event Extraction from Data Sources, and Risk Scoreand Risk Level Calculation

An embodiment includes but is not limited to the following high leveland technical designs for Risk Score Calculation, Risk Score Data andEvent Extraction from Data sources, and Risk Score and Risk LevelCalculation. It should be appreciated that the details are exemplaryonly, i.e. for purposes of understanding, and are not meant to belimiting. One skilled in the art would readily recognize substitutions,additions, and omissions that are possible and that are within the scopeof the herein described invention.

Risk Score Calculation.

High Level Design

-   -   1) Create a new Quartz Job implementing IInterruptableJob and        IParameterizedJob called:        -   “Risk Score Job”.    -   2) Parameters for the Job:        -   Run Job for Entity Type: Dropdown of supported entity types:            ‘Identity’, ‘Assets’. Should include an additional entry in            the dropdown labeled “All Entity Types”—this is the default            value of the dropdown.        -   Match Attribute: Dropdown of selected entity type's            available attributes. Can include an additional entry in the            dropdown labeled “No attribute—match condition”—as the            default value of the dropdown        -   Match Value: A text box to enter attribute value        -   Score Calculation: A dropdown with values “Full” (default            value for this dropdown), “Incremental”.

It should be appreciated that the above parameters allow the user tocustomize the job by specific entity type vs for all entities, do notcondition vs condition on an attribute, i.e. value match, and finally,full (re)calculation vs incremental calculation.

-   -   3) Risk Score Job's execute( )method: It should be appreciated        that the job parameters are passed on to both the mappers and        reducers via the Hadoop's JobConf object. Additional parameters        can also be passed in case of simulation (see point 5 below).    -   4) When invoking the hadoop job, a list of data sources are used        as an input file which is “split” using either DBInputFormat or        other text based Input Format objects. Each invocation of the        mapper expects a key/value pair with data source information.    -   5) Simulation: This Quartz Job implementation class can also be        used for the purpose of simulation. The simulate( )method can        expect Entity Type, list of entities, list of Data sources and        their corresponding data/events in the format extracted from        data sources, e.g. conversion to uniform format can be performed        in the mapper. The parameters received for the purpose of        simulation can be passed on to the mapper and reducer as is.

Technical Design

-   -   1) Create a new pojo called HadoopJobStatus in ALNTFabric which        can get persisted to db, i.e it needs a hbm file. Other fields        can be ‘type’ of hadoop job (for risk score calculation:        ‘scheduled’ job execution or ‘simulation’ or ‘adhoc’), date/time        started, date/time ended. These parameters can be expanded as        needed. This class can be used later for tracking other types of        hadoop jobs as well.    -   2) Before hadoop is invoked to calculate risk score (for either        scheduled job execution or simulation or adhoc), create a new        instance of HadoopJobStatus and save it in the database first.        The generated id can be used as the <hadoop job status id>.    -   3) The <hadoop job status id> from above is used as root for        input/output directories in both HDFS and local files system.    -   4) The quartz job queries for data sources from db (using        existing services/dao) and generates the data sources list file        in local file system. The format of generated file is        <key>q<value>, i.e tab separated key value pairs. The key is the        data source name and the value is xml string such as below:

<riskscore-input>   <datasource-type>Incident</datasource-type>   <!--will expand as needed --> </riskscore-input>.

It should be appreciated that the data sources list can potentially bebig based on customer's environment and configured rules.

-   -   5) The quartz job specifies <hadoop job status id>+“/input” as        hdfs directory for “put” as well as input directory for “jar”        commands.    -   6) The quartz job specifies <hadoop job status id>+“/output” as        the output path for the “jar” command. The output file can        potentially be large based on number of entities (such as users)        that end up in risk score calculation.    -   7) The quartz job is responsible for using “get” to read        hadoop's output into local file system and process as needed.        The output file can be of format: <key>q<value>, i.e tab        separated key value pairs. The key is the entity id (such as        user id) and the value is xml string with format such as below:

  <riskscore-output>     <entity-id>1234</entity-id> <!-- repeating thekey here ... easier to parse later -->     <riskscore>550</riskscore>    <rule-match>       <rule-desc>user friendly rule name fordisplaypurpose</ rule-desc>       <data-match>         <attr-match>          <attr-name>attr name</attr-name>           <attr-value>attrvalue</attr-value>         <attr-match>         <!-- repeat attr-matchas needed>       </data-match>     </rule-match>   <!-- repeat rulematch as needed --> </riskscore-output>

-   -   8) The quartz job processes the hdfs output as follows for each        entity in the output file. It is important to commit data        related to one entity at a time to avoid long holding of locks        on the effected tables, i.e keep the db transactions short to        avoid UI ‘clocking’.    -   9) For scheduled job execution and adhoc call: clean all the        previous risk score output records for the entity id and then        insert all the data from xml format to db tables. It is        contemplated that the db tables are designed to store risk score        output.    -   10) For simulation call return only the entity id and risk score        as a hashmap and disregard other information to ensure memory        usage is only as needed.

Risk Score Data and Event Extraction from Data Sources.

High Level Design

Hadoop Mapper: This implemenation of hadoop mapper expects the jobparameters in the configure( )method's JobConf parameter and conditionsthe processing based on the parameters in JobConf object.

-   -   1) The implemenation of map( )method expects a key/value        representing the datasource for which the extraction is being        currently done. The mapper extracts data/events only for the        data source received in the key/value. The mapper uses data        source specific utility classes for data/event extraction.    -   2) Irrespective of the data source, the extracted data/event is        converted to a uniform data format for later processing step by        reducer.    -   3) The mapper collects the extracted data/events into the output        collector using the entity type and entity id encoded as the        key.    -   4) Simulation support: This is the mapper needed to support        simulation. For the purpose of simulation, the JobConf object        available in configure( )method can be used to receive        additional entity type, entity id, data sources and the        data/events that are to be converted to uniform data format and        collected by output collector grouped by entity type and entity        id encoded as key.    -   5) The reducer can thus use the information to reduce and        calculate risk score and risk level.

Technical Design

Create an interface IDataSource, with at least one method “extract”. Theclasses implementing this interface are responsible for extracting datafrom the data source passed as parameter in the extract method. This isused by mappers.

Create a factory class called DataSourceFactory, which is responsiblefor creating an instance of data source implementing IDataSourceinterface based on the type of data source (one IDataSourceimplementation is available for each supported data source type).Register it as a bean in spring context

Create a mapper called DataSourceMapper, which is responsible for usingDataSourceFactory to create an instance of IDataSource and starts theextraction process.

Risk Score and Risk Level Calculation.

High Level Design

1) Rule Evaluation Reducer: This implementation of hadoop reducerexpects entity type and entity id encoded as the key and the data/eventsfrom various data sources for that entity as values. The reducer invokesRule Engine for any rule matches. It invokes the Risk score calculatorto determine the risk score and risk level based on matched rules.

2) The output of the reducer is entity type, entity id, risk score, risklevel, string representation of rule, e.g. in case rule changes aftercalculation, data values, e.g. to be able to inspect the values whichresulted in the rule match in case data changes after calculation.

3) The output can be saved to db using DBOutputFormat object or a customoutput format object that works well with existing fabricinfrastructure.

Technical Design

1) Create an interface IRiskScoreService, with at least one method“calculate”. The class implementing this interface is responsible forcalculating risk score for each user in the list of users and thecorresponding data/events.

2) Create an implementation class RiskScoreService implementingIRiskScoreService. Register it with spring context

3) Create a reducer called RiskScoreReducer, which is responsible forusing IRiskScoreService and invokes the calculate method. This will beused to reduce for list users and return calculated risk score for eachuser.

An Exemplary Risk Score and Risk Level Algorithm

In an embodiment, a risk score of an entity such as user is the totalsum of all the scores contributed by the matching rules. Thus, if anentity matches 5 rules and each rule contributes 25 points, then therisk score of the entity is 125. It should be appreciated that unlessrestricted at configuration time, the risk scores can potentially belarge numbers when the rule contribution scores are large. In anembodiment, it is recommended that the possible rule score contributionsare restricted to a range of values, such as for example 0 to 100, toavoid variable value overflows in case of many rule matches and to avoidoverly skewed data, i.e. some rules have tiny scores and some haveextremely large scores.

In an embodiment, the risk level of an entity is a mapping of the riskscore to a value between 0 and 100. To determine the risk level of anentity, following are two approaches in accordance with one or moreembodiments herein:

-   -   Risk level is percentile (or similar) score of all the        calculated risk scores of all the entities. The algorithm        involves first calculating risk scores of all the entities and        then determines the percentile of each entity with respect to        other entities. Other statistical methods such as z-scores        (which use ‘mean’ and up to 6 ‘standard deviations’ to include        around 95% of scores) can be employed as well. One possible        issue can be that there may be entities that have their        percentile (or similar score) in 80's and 90's irrespective of        however small their total risk score is, and thus their risk        level can always be “high” for such entities.    -   Risk levels can be calculated as percentage of total of all rule        scores. An issue with this approach alone may be that the actual        risk score for matched rules for an entity may be too skewed        towards the lower spectrum of possible score range. For example,        when sum total of all rule score contributions is 1000 from 100        rule score contributions and when the entity matches 5 critical        rules for a total of whopping 200 risk score, the risk level can        still be 20, which may not reflect the true risk level.

To avoid the above issues, embodiments can include the followingapproaches for determining risk levels:

Create entity groups to group related rules together. The entity groupscan help localize the importance of each rule within their group and canlater help the matched rules contribute to the overall risk level of theentity in a more reasonable way. For example, the details in thefollowing points may apply.

It is assumed that the entity groups are created in such a way that theentities satisfy rules as much as possible from a single group. On theother hand the entity group needs to be compact enough so as to maximizeits relevance in the overall risk level determination, e.g. the detailsin following points.

It is possible that a rule can be assigned multiple distinct entitygroups, i.e. a rule can be present in more than one group.

Algorithm:

The risk level for any entity involves two parts. The first part usesconfiguration performed by an administrator to a determine maximum (max)risk score that can used as the 100. This calculation can be performedonce before calculating the risk level for the selected entities. Thesecond part uses the matched rules for an entity to determine the riskscore per configured group and the max group score is used to determinethe risk level as follows:

Using Configuration:

Using the risk scores specified in the rules configuration, determinethe Risk Level-100:

-   -   Calculate the group score for a group G_(i) as follows

${G_{i} = {\sum\limits_{j = 1}^{n}\; r_{j}}},$

-   -   where r_(j) is risk score of rule R_(j) in group G_(i)    -   Determine the Risk Level-100, σ₁₀₀ as follows        σ₁₀₀=max_(i=1) ^(N) G _(i), where N is total number of entity        groups

Using Entity Risk Scores:

Using the risk scores obtained from the matched rules for an entity,determine the Risk Level of the entity as follows:

-   -   Calculate the entity group score G_(ei) as follows

${G_{ei} = {\sum\limits_{k = 1}^{n}\; r_{k}}},$

-   -   where r_(k) is the risk score of        -   matched rule R_(k) in group G_(ei) for entity e    -   Determine the max Risk Level for entity e, σ_(e) _(max) as        follows        σ_(e) _(max) =max_(i=1) ^(N) G _(ei), where N is total number of        entity groups    -   Calculate the scaled entity risk level σ_(e), as follows:        σ_(e)=(σ_(e) _(max) /σ₁₀₀)*100, rounding to nearest integer.

An Exemplary Risk Score Data Source Implementation

An exemplary risk score data source implementation is provided inaccordance with an embodiment. Following are nine definitions ofparticular objects in an embodiment. It should be appreciated that thesedetails are illustrative only and are not meant to be limiting. Oneskilled in the art could readily make substitutions, additions, oromissions of the particular details and still be within the scope of theinvention.

1. Implement Risk Score Data Source—Identity (User Details)

Retrieve the details from Identity User Detail table(IDMUserDetails—AAXT_IDMUSER_DETAILS. Create a map object and storeattribute name as key and for the value store attribute value. See TableD.

TABLE D Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPAttrEvent Multipleobject of RiskScoreCEPAttrEvent based on of Identity Set jobId: frominput of JobId Set userId: COLUMN1 of IDMUserDetails Set attributeValues(Map Object): add all the attributes of the user from IDMUserDetailswith key and value to the attributeValues (To get the attribute name,use the UserFieldMappingDetails - AAXM_USR_FLD_MAP and to attributevalue from IDMUserDetails COLUMN<COL_LOC>. COL_LOC is AAXM_USR_FLD_MAP.)

2. Implement Risk Score Data Source—Incident Reporting (Manual)

Retrieve the details from Incident Report Tables (AAAT_INCIDENT_REPORT,AAAT_INCIDENT_REPORT_USER) and return the details in an objectRiskScoreDataSourceData as below, in Table E:

TABLE E Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPMnIIncdtEventMultiple object of RiskScoreCEPMnIIncdtEvent based on number of personinvolved in one incident Set jobId: from input of JobId Set userId:Person involved from Incident Report Set severity: Severity fromIncident Report Set eventDate: Incident Date from Incident Report

3. Implement Risk Score Data Source—Incident Reporting (Auto)

Retrieve the details from Cases (Cases—AAAT_RAS_CASE, CaseAttribute—AAAT_RAS_CASE_ATTR) and return the details in an object

RiskScoreDataSourceData as below in Table F:

TABLE F Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPAutoIncdtEventMultiple object of RiskScoreCEPAutoIncdtEvent based on number of AlertGenerated for person involved Get all the cases based on action workflow type. Set jobId: from input of JobId Set userId: attributeValuefrom CaseAttribute table where attributeName is UserId Set eventDate:Created date from case table Set ruleId: id from ActionRuleConfig tableSet ruleName: ruleId from ActionRuleConfig table

4. Implement Risk Score Data Source—Activity

Retrieve the details from Cases (Risk Score Cases—ARST_CASE, Risk ScoreCase Attribute—ARST_CASE_ATTR) and return the details in an objectRiskScoreDataSourceData as below in Table G:

TABLE G Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPActivityEventMultiple object of RiskScoreCEPActivityEvent based on number of RiskSocre Case generated for person involved Set jobId: from input of JobIdSet userId: attributeValue from RiskScoreCaseAttribute table whereattributeName is UserId Set severity: Severity from RiskScoreCase tableSet eventDate: Created date from RiskScoreCase table Set ruleId: id fromActionRuleConfig table Set ruleName: ruleId from ActionRuleConfig table

5. Implement Risk Score Data Source—Resources

Retrieve the details UserMasterSystems AFBC_USER_MASTER_SYSTEMS andSysConnectorLight AFBCSYS_CONNECTORS. Return the details in an objectRiskScoreDataSourceData as below in Table H:

TABLE H Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPResourceEventMultiple object of RiskScoreCEPResourceEvent based on number of usersSet jobId: from input of JobId Set userId: systemUserId fromUserMasterSystems Set resourceId: perSystemId from UserMasterSystems SetresourceName: name from SysConnectorLight Set eventDate:lastModifiedDate from UserMasterSystems

6. Implement Risk Score Data Source—Resources Roles

Retrieve the details UserRoles—AFBC_USER_ROLES andSysConnectorLight—AFBCSYS_CONNECTORS. Return the details in an objectRiskScoreDataSourceData as below in Table I:

TABLE I Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPResRoleEventMultiple object of RiskScoreCEPResRoleEvent based on number of users SetjobId: from input of JobId Set userId: userId from UserRoles SetresourceRoleName: objName from UserRoles Set resourceId: perSystemIdfrom UserRoles Set resourceName: name from SysConnectorLight SeteventDate: lastModifiedDate from UserRoles

7. Implement Risk Score Data Source—Enterprise Roles

Retrieve the details UserEntRoles—AFBC_USER_ENTROLES. Return the detailsin an object RiskScoreDataSourceData as below in Table J:

TABLE J Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPEntRoleEvt Multipleobject of RiskScoreCEPEntRoleEvt based on number of users Set jobId:from input of JobId Set userId: userId from UserEntRoles SetenterpriseRoleName: objName from UserEntRoles Set eventDate:lastModifiedDate from UserEntRoles

8. Implement Risk Score Data Source—Training

Retrieve the details UserTrainingDetails—AFBCLMS_COURSE. Return thedetails in an object RiskScoreDataSourceData as below in Table K:

TABLE K Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPTrainingEventMultiple object of RiskScoreCEPTrainingEvent based on number of users inthe training table Set jobId: from input of JobId Set userId: userIdfrom UserTrainingDetails Set enterpriseRoleName: courseName fromUserTrainingDetails Set startDate: startDate from UserTrainingDetailsSet endDate: endDate from UserTrainingDetails

9. Implement Risk Score Data Source—Mitigation Control

Retrieve the details RnlMitigationUser—ARIT_MITUSER andRnlRiskMitigationControl—ARIT_MITCTRL. Return the details in an objectRiskScoreDataSourceData as below in Table L:

TABLE L Attributes Value dataSourceName Set the dataSourceName from theinput of RiskScoreDataSource Object dataSourceType Set thedataSourceType from the input of RiskScoreDataSource Object entityTypeRiskScoreConstants. ENTITY_TYPE_IDENTITY entityId User IdinputEventClassName inputEvents List of RiskScoreCEPMitCtrlEventMultiple object of RiskScoreCEPMitCtrlEvent based on number of users inthe Mitigation Control table Set jobId: from input of JobId Set userId:userId from RnIMitigationUser Set rskMitCtlId: rskMitCtlId fromRnIRiskMitigationControl Set mitigationControlId: riskMitCtrl fromRnIMitigationUser Set validFrom: startDate from RnIMitigationUser SetvalidTo: endDate from RnIMitigationUser

An Example Machine Overview

FIG. 21 is a block schematic diagram of a system in the exemplary formof a computer system 2100 within which a set of instructions for causingthe system to perform any one of the foregoing methodologies may beexecuted. In alternative embodiments, the system may comprise a networkrouter, a network switch, a network bridge, personal digital assistant(PDA), a cellular telephone, a Web appliance or any system capable ofexecuting a sequence of instructions that specify actions to be taken bythat system.

The computer system 2100 includes a processor 2102, a main memory 2104and a static memory 2106, which communicate with each other via a bus2108. The computer system 2100 may further include a display unit 2110,for example, a liquid crystal display (LCD) or a cathode ray tube (CRT).The computer system 2100 also includes an alphanumeric input device2112, for example, a keyboard; a cursor control device 2114, forexample, a mouse; a disk drive unit 2116, a signal generation device2118, for example, a speaker, and a network interface device 2128.

The disk drive unit 2116 includes a machine-readable medium 2124 onwhich is stored a set of executable instructions, i.e. software, 2126embodying any one, or all, of the methodologies described herein below.The software 2126 is also shown to reside, completely or at leastpartially, within the main memory 2104 and/or within the processor 2102.The software 2126 may further be transmitted or received over a network2130 by means of a network interface device 2128.

In contrast to the system 2100 discussed above, a different embodimentuses logic circuitry instead of computer-executed instructions toimplement processing entities. Depending upon the particularrequirements of the application in the areas of speed, expense, toolingcosts, and the like, this logic may be implemented by constructing anapplication-specific integrated circuit (ASIC) having thousands of tinyintegrated transistors. Such an ASIC may be implemented with CMOS(complementary metal oxide semiconductor), TTL (transistor-transistorlogic), VLSI (very large systems integration), or another suitableconstruction. Other alternatives include a digital signal processingchip (DSP), discrete circuitry (such as resistors, capacitors, diodes,inductors, and transistors), field programmable gate array (FPGA),programmable logic array (PLA), programmable logic device (PLD), and thelike.

It is to be understood that embodiments may be used as or to supportsoftware programs or software modules executed upon some form ofprocessing core (such as the CPU of a computer) or otherwise implementedor realized upon or within a system or computer readable medium. Amachine-readable medium includes any mechanism for storing ortransmitting information in a form readable by a machine, e.g. acomputer. For example, a machine readable medium includes read-onlymemory (ROM); random access memory (RAM); magnetic disk storage media;optical storage media; flash memory devices; electrical, optical,acoustical or other form of propagated signals, for example, carrierwaves, infrared signals, digital signals, etc.; or any other type ofmedia suitable for storing or transmitting information.

Further, it is to be understood that embodiments may include performingoperations and using storage with cloud computing. For the purposes ofdiscussion herein, cloud computing may mean executing algorithms on anynetwork that is accessible by internet-enabled or network-enableddevices, servers, or clients and that do not require complex hardwareconfigurations, e.g. requiring cables and complex softwareconfigurations, e.g. requiring a consultant to install. For example,embodiments may provide one or more cloud computing solutions thatenable users, e.g. users on the go, to access identity and asset riskscore intelligence and to perform threat mitigation on suchinternet-enabled or other network-enabled devices, servers, or clients.It further should be appreciated that one or more cloud computingembodiments include access identity and asset risk score intelligenceand threat mitigation using mobile devices, tablets, and the like, assuch devices are becoming standard consumer devices.

An Exemplary Big Data Solution for Security and Continuous Monitoring

It has been found that one challenge facing security operations is thatby the time the analysis is complete it is usually too late to takesteps to mitigate the risks.

Thus, one or more embodiments provide, but are not limited to providing:

-   -   Logical-physical security convergence software with insider        threat prevention that automates all aspects of enrollment,        credentialing and issuance related to the airport badging        office;    -   Situational intelligence, incident management, reporting,        response and automated remediation to enhance the Airport and        Security Operations Center;    -   Predictive analytics that connects the dots across multiple        actions that now paint a much more sinister picture;    -   Ability to analyze huge amounts of data from disparate sources;        and    -   Large data sets from multiple disparate sources that could pose        a large problem.

An embodiment can be understood with reference to FIG. 22, a schematicdiagram of an architecture of a solution. Control systems, networkdevices, etc., provide input data into an alert sentry that hosts asituational intelligence component, remediation workflow component, ruleauthoring component, and event correlation component. Alert sentry isconfigured to provide video monitoring and geo-spatial analytics. Alertsentry is in communication with data stores and processes comprising butnot limited to human resources, a video management system, etc.

Important features.

In an embodiment, important features include but are not limited to:

-   -   Business user friendly rule creation    -   Data acquisition from variety of systems        -   Physical Access Control systems (AMAG, Lenel, Ccure etc.)        -   IT Systems (SAP, AD, Routers, IDS etc.)        -   Control Systems (SCADA, RTU, IEDs, PI etc.)    -   Event processing and correlation    -   Situational intelligence        -   Video Monitoring, live and incident recording views        -   Locational intelligence through geo-spatial analytics        -   Personnel info and access history        -   Real time views    -   Automated Guidance for Remediation        -   Configurable remediation steps        -   Automatic task completion

An embodiment can be understood with reference to FIG. 23, a flowdiagram of anomaly detection through predictive analytics. Eventsarchive data are formatted into input data into a machine learning,un-supervised pattern recognition component, which sends data to aprofile repository, which provides data to an anomaly detection process,which generates output, such as graphs, and which also takes in newevents.

An embodiment can be understood with reference to FIG. 24, a schematicdiagram showing the data and processes that interact with the riskprofile/score component. It shows what data and processes are used togenerate a risk score.

An embodiment can be understood with reference to FIG. 25, a samplescreen shot showing risk score details.

An embodiment can be understood with reference to FIG. 26, a schematicdiagram showing the data and processes that contribute to a situationalawareness and incident response.

An embodiment can be understood with reference to FIG. 27, a schematicdiagram showing the data and processes for a unified identity profile toenables intelligent decision making.

An embodiment can be understood with reference to FIG. 28, a samplescreen shot of mobility solutions.

Systems, Structures, and Processes for Interconnected Devices and RiskManagement

Techniques are provided that produce a risk profile consisting of a riskscore and trends of risk scores across devices and sensors in amachine-to-machine (M2M) or Internet of things (IOT) environment. Forexample, a device is assigned a risk score which is based on baselinefactors such as expected network packets between two devices, normalnetwork packets, access to critical devices, authorized access requestsfrom one device to another device, normal communications to a device,and the critical ports of a device; access to and conflicts acrossphysical, logical, and operational systems; historical and current usageof these systems, and anomalies from normal behavior patterns.Techniques encompass risk management by computing a risk score in atimely fashion in accordance with an architecture that enables achievingthe required scaling necessitated by the huge number of devices in themachine-to-machine (M2M) or Internet of things (IOT) environment.

The identity and asset risk scoring framework provides an excellentfoundational mechanism for an IOT risk management mechanism. However,because IOT includes machine-to-machine communication between a fairlylarge number of devices, the data volume requirement is huge andrequires a scalable, high throughput and robust mechanism. Thus, in anembodiment additional risk contributing factors for IOT are incorporatedinto the existing identity and asset risk scoring contributing factors.

As background it has been found that in the past few years a newparadigm has emerged referred to as the Internet Of Things (“IOT”). IOThas received massive attention and adoption. IOT is combination of theinterconnection of devices and sensors, etc. (things) and their dataexchange (referred to as machine to machine (M2M)). M2M also includesbut is not limited to remote control capability. An IOT environmentenables devices to become smart. Usage of IOT is in many differentindustries such as energy and utility, healthcare, manufacturing, smartcities, wearable, and automotive to name a few. As per some estimates,by 2020 there will be 20 to 30 billion interconnected devices. With thepervasive use of IOT, interconnection, and wifi enabled devices,security of the devices becomes a risk, which needs to addressed byorganization.

DESCRIPTION

Sensors and devices usually exchange data within sub-second intervals.When considering huge number of networked devices and each devicecommunicating with multiple devices, the data collection volume caneasily go up to petabytes of data in a day. It has been found that forrisk score computation purposes, the traditional method of datacollection does not scale. Traditional methods of data collection handlehuman to device and vice a versa. Here, one or more embodiments handledata collection methods for device to device interactions. The number ofdevice to device interactions is vastly larger than the number of humanto device interactions. Thus, a robust, fail safe, distributed andlinearly scalable system is needed to handle device to deviceinteractions in a timely manner. An embodiment can be understood withreference to FIG. 30. FIG. 30 is a schematic diagram showing a technicalarchitecture depicting a design using a distributed and linearlyscalable data collection mechanism, such as for example but not limitedto Apache Flume. A distributed and linearly scalable data collectionmechanism provides a conduit to acquire data from external or internalsources and transport the data in a failsafe manner to a repository thatcan be referred to as a sink. In an embodiment the sink can be a RDBMS,HDFS, or HBASE for example as shown at the bottom of FIG. 29. The eventsare stored in HBASE and the details about the assets and theirrelationships and other structured data are stored in the Alert DBRDBMS.

Application of predictive analytics and machine learning techniquesplays a huge role in anomaly detection and potential risk incidentidentification. Once machine data is collected, using density basedclustering techniques, any anomalous transaction in the M2Mcommunication can be detected and contributed towards the asset riskscore mechanism according to an embodiment. In an embodiment densitybased clustering techniques are applied to specific parameters and datacorresponding to the valid devices and sensors in the IOT environment.

In an embodiment during machine data acquisition, real time analysis isperformed to identify critical risks such as but not limited to ananomalous network packet between two devices. In an exampleimplementation, Spark Streaming is a employed for the analysisprocessing. In an embodiment the analysis processor provides real timeprocessing handles hundreds of thousands of events, e.g., from devicesor sensors. In an embodiment a distributed message broker mechanism thatprovides loss less delivery is preferred. As an implementation example,KAFKA provides a distributed message broker mechanism. FIG. 29 depicts amechanism for real-time processing and analysis of the machine data.

Following is a list of contributing factors considered as part of riskscoring computation as it pertains to IOT according to an embodiment. Itshould be appreciated that the list is not exhaustive.

-   -   Unexpected network packet between two devices, e.g. detection of        user datagram protocol (UDP) message between a temperature        sensor and a server. For example, an intruder may be trying to        inappropriately increase the temperature of a device.    -   Anomalous network packet; e.g. detection of Internet control        message protocol (ICMP) messages between two devices, which had        not been previously detected. For example one device may be        trying to determine if a server is up, which may be suspicious        activity to an enterprise or organization.    -   Access permission for one device to another critical device by        looking at Identity Of Things (IDOT) systems. IDOT is a method        or protocol for assigning unique identities to things within the        IOT.    -   Unauthorized access attempts from one device to another device.    -   Multiple loss of communication to a device. For example the        multiple loss of communication to advice could be benign or it        could indicate someone or something is staging a man in the        middle attack. Another example may be that someone or something        is trying to tie up a server or device as another form of        attack.    -   Critical ports open on a device.

These and other contributing factors are used to compute a risk scorefor a particular device or things such as a sensor. When the risk scoreis high it may be indicative that the device or thing is a high risk.Knowing whether a device or thing is a high risk enables someone or somesystem to manage or mitigate such high risk.

FIG. 31 is a sample screen shot of a plurality of assets, e.g. devicesand sensors at facilities in Loudon, Brambleton, Cloverhill, etc.,potentially at risk on a geographic information system (GIS) map,according to an embodiment of the invention; and

FIG. 32 is a sample screen shot of asset risk score visualization for aparticular asset of FIG. 31, according to an embodiment of theinvention. The user interface shows that the risk score for Deltavilleis 40. A pectoral indicator depicts that such risk score indicates thatthe site is considered a medium risk. The interface shows that there arezero alerts a risk score of 40 and an occupancy of 9. The user interfaceindicates a total of six records are viewable. Data for each recordinclude the work item number, the description, the severity and whensuch work item was created.

Although the invention is described herein with reference to thepreferred embodiment, one skilled in the art will readily appreciatethat other applications may be substituted for those set forth hereinwithout departing from the spirit and scope of the present invention.Accordingly, the invention should only be limited by the Claims includedbelow.

The invention claimed is:
 1. A computer-implemented method for providingentity risk score intelligence, comprising the steps of: receivingbaseline scoring data, associated with valid devices on amachine-machine network, at an entity warehouse, wherein the entitywarehouse comprises a risk scoring and predictive analytics engine thatprovides entity risk score intelligence regarding an entity based inpart of said baseline scoring data; performing, at the entity warehouse,ongoing monitoring of (a) behavior and anomaly processes and data ofsaid valid devices and (b) changes and behaviors processes and data ofsaid valid devices, wherein each such processes and data impact theentity risk score intelligence; wherein the risk scoring and predictiveanalytics engine generates a risk score of the entity that is the totalsum of all risk scores contributed by matching rules and generates arisk level, wherein the risk level is a mapping of the risk score to avalue between 0 and 100; wherein the risk scoring and predictiveanalytics engine runs on a big data platform on a network and usesin-memory database processing; and providing system response andautomatically generating real-time alerts when said risk score exceeds adefined threshold; wherein said generating a risk level uses entitygroups, wherein the entity groups are entities that are groupedaccording to how their respective rules are related, wherein theentities satisfy rules from a single group, and wherein each entitygroup is compact and maximizes its relevance in the overall risk leveldetermination; wherein generating the risk level for any entity involvestwo parts, wherein the first part uses a configuration performed by anadministrator to a determine maximum risk score that can used as the100, wherein this calculation is performed once before calculating therisk level for the selected entities, wherein the second part uses thematched rules for an entity to determine the risk score per configuredentity group and the maximum entity group score is used to determine therisk level; wherein the entity warehouse comprises an identity profile,access information, risk score information, and behavior pattern dataregarding a particular entity; and wherein one or more steps areperformed on at least a processor coupled to at least a memory.
 2. Themethod of claim 1, wherein determining the risk level is performed asfollows: using the risk scores specified in the rules configuration,determine the Risk Level-100 by: calculating the group score for a groupG_(i) as: ${G_{i} = {\sum\limits_{j = 1}^{n}\; r_{j}}},$  where r_(j) isrisk score of rule R_(j) in group G_(i) and determining the risklevel-100, σ₁₀₀ as:σ₁₀₀=max_(i=1) ^(N) G _(i), where N is total number of entity groups andusing the entity risk scores by using the risk scores obtained from thematched rules for an entity to determine the risk level of the entity asfollows: calculating the entity group score G_(ei) as:${G_{ei} = {\sum\limits_{k = 1}^{n}\; r_{k}}},$ where r_(k) is the riskscore of matched rule R_(k) in group G_(ei) for entity e; determiningthe max risk level for each entity e, σ_(e) _(max) as:σ_(e) _(max) =max_(i=1) ^(N) G _(ei), where N is total number of entitygroups and calculating the scaled entity risk level σ_(e), as:σ_(e)=(σ_(e) _(max) /σ₁₀₀)*100, rounding to nearest integer.
 3. Themethod of claim 1, wherein baseline scoring data comprise identity data,access data, training, screenings, and incidents data, and historicalactivity data.
 4. The method of claim 1, wherein a risk score iscomputed and said computation of said risk score is based on configuredrules regarding: (a) identity behavior anomaly including an employeelogging into an intrusion prevention system during off hours and anemployee badging into a critical area at a time outside his normalhours, (b) one or more identity entitlements including an area to whichan employee has access, one or more systems to which an employee hasaccess, and (c) one or more identity attribute data including: adepartment to which an employee belongs, a number of days an employee isemployed, employee human resources data, one or more identity changes,any training undertaken by an employee, any expired training, anyscreening/background check results, and any citations received by theemployee.
 5. The method of claim 1, wherein providing response andalerting comprises providing reports, analytics, and alerts.
 6. Themethod of claim 1, wherein the risk scoring and predictive analyticsengine runs on Hadoop and SAP HANA and comprises the steps of: reading,by a risk score job client, one or more lists of datasources from adatabase using an Hadoop database input formal object; creating, by saidHadoop database input formal object, splits from the one or more listsof datasrouces; mapping, by a mapper, each datasource as a single taskassigned to a Hadoop datanode; wherein each mapper extracts informationor events from a datasource and collects the extracted information orevents by entity id; wherein in case of simulation, the mapper mergesthe extracted information or events with previously sent simulationinformation or events sent and wherein the mapper collects theinformation or events by entity id; performing, by an extractor, anextraction operation wherein utility class(es) extract incremental orfull data from specific types of datasource and for specified users whenused for simulation; sending, by said extractor, data back to saidmapper and said mapper sending data back to said risk score job client;invoking a rule evaluation reducer that is a Hadoop reducer responsiblefor calculating risk score or the risk level using matched rules; saidrule evaluation reducer invoking a rule engine to call a match ruleoperation to determine matched rules and returns the rule matchingresults to said rule evaluation reducer; said rule evaluation reducerinvoking a risk score calculator to calculate one or more risk scoresbased on the rule matching results and return the risk score results tosaid rule evaluation reducer; said rule evaluation reducer invoking therisk score calculator to calculate one or more risk levels and returnthe risk level results to said rule evaluation reducer; sending, by saidrule evaluation reducer, result data to said risk score job client;requesting, by said risk score job client, an Hadoop output formatobject to format and return data comprising: userid, risk score, risklevel, data source names, and readable rule and data values for saidmatched rules; wherein said risk score job client provides said returneddata for reports, alerts, and analytics.
 7. The method of claim 1,wherein said risk scoring and predictive analytics engine uses aresource reconciliation policy configuration, to reconcile identities orusers from various subsystems, said various comprising any of or anycombination of physical access control systems (PACS), operationalsystems comprising any of or any combination of SCADA, EMS, and HMI, andIT systems comprising any of or any combination of ERP, financialsystems, and IDS/IPS systems, wherein said resource reconciliationpolicy configuration allows: setting mode to incremental or full whereinsaid incremental mode setting causes performing identity reconciliationonly for those identity records which have been modified and whereinsaid full setting causes all identity records to be included for riskscore calculation; setting whether polling is enabled and, when yes,receiving a time interval user input which causes polling to beperformed as per the user inputted time interval; setting one or moreidentity events comprising any of or any combination of (a) change inemployee job role, (b) employee termination, (c) conversion from parttime to full time; selecting a corresponding action to be taken inresponse to any of: adding an entitlement or performing an identityupdate action; setting whether the one or more identity events with saidcorresponding action is a risk; setting whether to generate anotification when the corresponding event is detected; setting acorresponding configurable workflow, when available; providingfile-based reconciliation by allowing inputting a path to a file and apath to an archive location; and setting conditions when a source isinoperational or unreachable by: setting the option to skip or continuethe job and send an alert for manual intervention, providing aparticular alert notification template, and providing a list ofaddresses to which to send the alert; or setting the option to wait andretry, setting the maximum number of retries, and setting a particularalert notification and providing a list of addresses to which to sendthe alert for when after the retries, the target is still down.
 8. Asystem for providing entity risk score intelligence, comprising: atleast one processor operable to execute computer program instructions;and at least one memory operable to store computer program instructionsexecutable by said at least one processor, for performing: receivingbaseline scoring data, associated with valid devices on amachine-machine network, at an entity warehouse, wherein the entitywarehouse comprises a risk scoring and predictive analytics engine thatprovides entity risk score intelligence regarding an entity based inpart of said baseline scoring data; performing, at the entity warehouse,ongoing monitoring of (a) behavior and anomaly processes and data ofsaid valid devices and (b) changes and behaviors processes and data ofsaid valid devices, wherein each such processes and data impact theentity risk score intelligence; wherein the risk scoring and predictiveanalytics engine generates a risk score of the entity that is the totalsum of all risk scores contributed by matching rules and generates arisk level, wherein the risk level is a mapping of the risk score to avalue between 0 and 100; wherein the risk scoring and predictiveanalytics engine runs on a big data platform on a network and usesin-memory database processing; and providing system response andautomatically generating real-time alerts when said risk score exceeds adefined threshold; wherein said generating a risk level uses entitygroups, wherein the entity groups are entities that are groupedaccording to how their respective rules are related, wherein theentities satisfy rules from a single group, and wherein each entitygroup is compact and maximizes its relevance in the overall risk leveldetermination; wherein generating the risk level for any entity involvestwo parts, wherein the first part uses a configuration performed by anadministrator to a determine maximum risk score that can used as the100, wherein this calculation is performed once before calculating therisk level for the selected entities, wherein the second part uses thematched rules for an entity to determine the risk score per configuredentity group and the maximum entity group score is used to determine therisk level; wherein the entity warehouse comprises an identity profile,access information, risk score information, and behavior pattern dataregarding a particular entity.
 9. The system of claim 8, whereindetermining the risk level is performed as follows: using the riskscores specified in the rules configuration, determine the RiskLevel-100 by: calculating the group score for a group G_(i) as:${G_{i} = {\sum\limits_{j = 1}^{n}\; r_{j}}},$  where r_(j) is riskscore of rule R_(j) in group G_(i) and determining the risk level-100,σ₁₀₀ as:σ₁₀₀=max_(i=1) ^(N) G _(i), where N is total number of entity groups andusing the entity risk scores by using the risk scores obtained from thematched rules for an entity to determine the risk level of the entity asfollows: calculating the entity group score G_(ei) as:${G_{ei} = {\sum\limits_{k = 1}^{n}\; r_{k}}},$ where r_(k) is the riskscore of matched rule R_(k) in group G_(ei) for entity e determining themax risk level for each entity e, σ_(e) _(max) as:σ_(e) _(max) =max_(i=1) ^(N) G _(ei), where N is total number of entitygroups; and calculating the scaled entity risk level σ_(e), as:σ_(e)=(σ_(e) _(max) /σ₁₀₀)*100, rounding to nearest integer.
 10. Thesystem of claim 8, wherein a risk score is computed and said computationof said risk score is based on configured rules regarding: (a) identitybehavior anomaly including an employee logging into an intrusionprevention system during off hours and an employee badging into acritical area at a time outside his normal hours, (b) one or moreidentity entitlements including an area to which an employee has access,one or more systems to which an employee has access, and (c) one or moreidentity attribute data including: a department to which an employeebelongs, a number of days an employee is employed, employee humanresources data, one or more identity changes, any training undertaken byan employee, any expired training, any screening/background checkresults, and any citations received by the employee.
 11. The system ofclaim 8, wherein the risk scoring and predictive analytics engine runson Hadoop and SAP HANA and comprises the steps of: reading, by a riskscore job client, one or more lists of datasources from a database usingan Hadoop database input formal object; creating, by said Hadoopdatabase input formal object, splits from the one or more lists ofdatasrouces; mapping, by a mapper, each datasource as a single taskassigned to a Hadoop datanode; wherein each mapper extracts informationor events from a datasource and collects the extracted information orevents by entity id; wherein in case of simulation, the mapper mergesthe extracted information or events with previously sent simulationinformation or events sent and wherein the mapper collects theinformation or events by entity id; performing, by an extractor, anextraction operation wherein utility class(es) extract incremental orfull data from specific types of datasource and for specified users whenused for simulation; sending, by said extractor, data back to saidmapper and said mapper sending data back to said risk score job client;invoking a rule evaluation reducer that is a Hadoop reducer responsiblefor calculating risk score or the risk level using matched rules; saidrule evaluation reducer invoking a rule engine to call a match ruleoperation to determine matched rules and returns the rule matchingresults to said rule evaluation reducer; said rule evaluation reducerinvoking a risk score calculator to calculate one or more risk scoresbased on the rule matching results and return the risk score results tosaid rule evaluation reducer; said rule evaluation reducer invoking therisk score calculator to calculate one or more risk levels and returnthe risk level results to said rule evaluation reducer; sending, by saidrule evaluation reducer, result data to said risk score job client;requesting, by said risk score job client, an Hadoop output formatobject to format and return data comprising: userid, risk score, risklevel, data source names, and readable rule and data values for saidmatched rules; wherein said risk score job client provides said returneddata for reports, alerts, and analytics.
 12. A non-transitory storagemedium having stored thereon a computer program comprising a programcode for performing, when the computer program is executed on acomputer, a method for providing entity risk score intelligence,comprising the steps of: receiving baseline scoring data, associatedwith valid devices on a machine-machine network, at an entity warehouse,wherein the entity warehouse comprises a risk scoring and predictiveanalytics engine that provides entity risk score intelligence regardingan entity based in part of said baseline scoring data; performing, atthe entity warehouse, ongoing monitoring of (a) behavior and anomalyprocesses and data of said valid devices and (b) changes and behaviorsprocesses and data of said valid devices, wherein each such processesand data impact the entity risk score intelligence; wherein the riskscoring and predictive analytics engine generates a risk score of theentity that is the total sum of all risk scores contributed by matchingrules and generates a risk level, wherein the risk level is a mapping ofthe risk score to a value between 0 and 100; wherein the risk scoringand predictive analytics engine runs on a big data platform on a networkand uses in-memory database processing; and providing system responseand automatically generating real-time alerts when said risk scoreexceeds a defined threshold; wherein said generating a risk level usesentity groups, wherein the entity groups are entities that are groupedaccording to how their respective rules are related, wherein theentities satisfy rules from a single group, and wherein each entitygroup is compact and maximizes its relevance in the overall risk leveldetermination wherein generating the risk level for any entity involvestwo parts, wherein the first part uses a configuration performed by anadministrator to a determine maximum risk score that can used as the100, wherein this calculation is performed once before calculating therisk level for the selected entities, wherein the second part uses thematched rules for an entity to determine the risk score per configuredentity group and the maximum entity group score is used to determine therisk level; wherein the entity warehouse comprises an identity profile,access information, risk score information, and behavior pattern dataregarding a particular entity.
 13. The non-transitory storage medium ofclaim 12 wherein determining the risk level is performed as follows:using the risk scores specified in the rules configuration, determinethe Risk Level-100 by: calculating the group score for a group G_(i) as:${G_{i} = {\sum\limits_{j = 1}^{n}\; r_{j}}},$  where r_(j) is riskscore of rule R_(j) in group G_(i) and determining the risk level-100,σ₁₀₀ as:σ₁₀₀=max_(i=1) ^(N) G _(i), where N is total number of entity groups;and using the entity risk scores by using the risk scores obtained fromthe matched rules for an entity to determine the risk level of theentity as follows: calculating the entity group score G_(ei) as:${G_{ei} = {\sum\limits_{k = 1}^{n}\; r_{k}}},$ where r_(k) is the riskscore of matched rule R_(k) in group G_(ei) for entity e; determiningthe max risk level for each entity e, σ_(e) _(max) as:σ_(e) _(max) =max_(i=1) ^(N) G _(ei), where N is total number of entitygroups; and calculating the scaled entity risk level σ_(e), as:σ_(e)=(σ_(e) _(max) /σ₁₀₀)*100, rounding to nearest integer.
 14. Thenon-transitory storage medium of claim 12, wherein a risk score iscomputed and said computation of said risk score is based on configuredrules regarding: (a) identity behavior anomaly including an employeelogging into an intrusion prevention system during off hours and anemployee badging into a critical area at a time outside his normalhours, (b) one or more identity entitlements including an area to whichan employee has access, one or more systems to which an employee hasaccess, and (c) one or more identity attribute data including: adepartment to which an employee belongs, a number of days an employee isemployed, employee human resources data, one or more identity changes,any training undertaken by an employee, any expired training, anyscreening/background check results, and any citations received by theemployee.
 15. The non-transitory storage medium of claim 12, wherein therisk scoring and predictive analytics engine runs on Hadoop and SAP HANAand comprises the steps of: reading, by a risk score job client, one ormore lists of datasources from a database using an Hadoop database inputformal object; creating, by said Hadoop database input formal object,splits from the one or more lists of datasrouces; mapping, by a mapper,each datasource as a single task assigned to a Hadoop datanode; whereineach mapper extracts information or events from a datasource andcollects the extracted information or events by entity id; wherein incase of simulation, the mapper merges the extracted information orevents with previously sent simulation information or events sent andwherein the mapper collects the information or events by entity id;performing, by an extractor, an extraction operation wherein utilityclass(es) extract incremental or full data from specific types ofdatasource and for specified users when used for simulation; sending, bysaid extractor, data back to said mapper and said mapper sending databack to said risk score job client; invoking a rule evaluation reducerthat is a Hadoop reducer responsible for calculating risk score or therisk level using matched rules; said rule evaluation reducer invoking arule engine to call a match rule operation to determine matched rulesand returns the rule matching results to said rule evaluation reducer;said rule evaluation reducer invoking a risk score calculator tocalculate one or more risk scores based on the rule matching results andreturn the risk score results to said rule evaluation reducer; said ruleevaluation reducer invoking the risk score calculator to calculate oneor more risk levels and return the risk level results to said ruleevaluation reducer; sending, by said rule evaluation reducer, resultdata to said risk score job client; requesting, by said risk score jobclient, an Hadoop output format object to format and return datacomprising: userid, risk score, risk level, data source names, andreadable rule and data values for said matched rules; wherein said riskscore job client provides said returned data for reports, alerts, andanalytics.